Merge pull request #8489 from MicrosoftDocs/main

Publish main to live on 9/21 @ 10:30 am

Author: v-stsavell

memdocs/configmgr/core/servers/deploy/configure/azure-services-wizard.md

@@ -45,6 +45,8 @@ Configure the following Azure services using this wizard:
 - **Microsoft Store for Business**: Connect to the [Microsoft Store for Business](../../../../apps/deploy-use/manage-apps-from-the-windows-store-for-business.md). Get store apps for your organization that you can deploy with Configuration Manager.  
 
 - **Administration Service Management**: When configuring Azure Services, for enhanced security you can select Administration Service Management option. Selecting this option allows administrators to segment their admin privileges between [cloud management](../../../clients/manage/cmg/overview.md) and [administration service](../../../../develop/adminservice/overview.md). By enabling this option, access is restricted to only administration service endpoints. Configuration Management clients will authenticate to the site using Azure Active Directory. *(version 2207 or later)*
+    > [!NOTE]
+    > Only CMG VMSS customers can enable administrative service management option. This option is not applicable for classic CMG customers. 
 
 ### Service details
 

memdocs/intune/apps/manage-without-gms.md

@@ -8,7 +8,7 @@ keywords:
 author: Erikre
 ms.author: erikre
 manager: dougeby
-ms.date: 12/16/2021
+ms.date: 09/16/2022
 ms.topic: conceptual
 ms.service: microsoft-intune
 ms.subservice: apps
@@ -33,6 +33,9 @@ ms.collection: M365-identity-device-management
 
 Microsoft Intune uses Google Mobile Services (GMS) to communicate with the Microsoft Intune company portal when managing Android devices. In some cases, devices may temporarily or permanently not have access to GMS. For example, a device might ship without GMS, or the device may be connecting to a closed network where GMS is not available. This document summarizes the differences and limitations you may observe when installing and using Intune to manage Android devices without GMS.
 
+> [!NOTE]
+> These GMS related limitations also apply to Device Administrator management and Android (AOSP) Management.
+
 ## Install the Intune Company Portal app without access to the Google Play Store 
 
 ### For users outside of People's Republic of China
@@ -43,7 +46,7 @@ If Google Play isn't available, Android devices can download the [Microsoft In
 
 Because the Google Play Store is currently not available in People's Republic of China, Android devices must obtain apps from Chinese app marketplaces. For more information, see [Install the Company Portal app in People's Republic of China](../user-help/install-company-portal-android-china.md).
 
-## Limitations of Intune device administrator management when GMS is unavailable 
+## Limitations of Intune management when GMS is unavailable 
 
 ### Unavailable Intune features
 
@@ -76,6 +79,10 @@ The following tasks can require up to 8 hours to finish:
 - Device reset
 - Installation of available line-of-business apps
 
+**Intune app for Android (AOSP)**:
+- Remote device removal
+- Device reset
+
 **Intune Company Portal website**:
 - Device removal (local and remote)
 - Device reset

memdocs/intune/developer/app-wrapper-prepare-ios.md

@@ -96,7 +96,7 @@ You will need the following to distribute apps wrapped by Intune:
 
 8. After agreeing to license, finish by **purchasing and activating the program**.
 
-9. If you are the team agent (the person who joins the Apple Developer Enterprise Program on behalf of your organization), build your team first by inviting team members and assigning roles. To learn how to manage your team, read the Apple documentation on [Managing Your Developer Account Team](https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/ManagingYourTeam/ManagingYourTeam.html#//apple_ref/doc/uid/TP40012582-CH16-SW1).
+9. If you are the team agent (the person who joins the Apple Developer Enterprise Program on behalf of your organization), build your team first by inviting team members and assigning roles. To learn how to manage your team, read the Apple documentation on [Managing Your Developer Account Team](https://help.apple.com/developer-account/#/dev3e8818774).
 
 ### Steps to create an Apple signing certificate
 
@@ -346,7 +346,7 @@ The App Wrapping Tool for iOS has some requirements that must be met in order to
 
 ## Setting app entitlements
 
-Before wrapping your app, you can grant *[entitlements](https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/AboutEntitlements.html)* to give the app additional permissions and capabilities that exceed what an app can typically do. An *entitlement file* is used during code signing to specify special permissions within your app (for example, access to a shared keychain). Specific app services called *capabilities* are enabled within Xcode during app development. Once enabled, the capabilities are reflected in your entitlements file. For more information about entitlements and capabilities, see [Adding Capabilities](https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/AddingCapabilities/AddingCapabilities.html) in the iOS Developer Library. For a complete list of supported capabilities, see [Supported capabilities](https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/SupportedCapabilities/SupportedCapabilities.html).
+Before wrapping your app, you can grant *[entitlements](https://developer.apple.com/library/content/documentation/Miscellaneous/Reference/EntitlementKeyReference/Chapters/AboutEntitlements.html)* to give the app additional permissions and capabilities that exceed what an app can typically do. An *entitlement file* is used during code signing to specify special permissions within your app (for example, access to a shared keychain). Specific app services called *capabilities* are enabled within Xcode during app development. Once enabled, the capabilities are reflected in your entitlements file. For more information about entitlements and capabilities, see [Adding Capabilities](https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/AddingCapabilities/AddingCapabilities.html) in the iOS Developer Library. For a complete list of supported capabilities, see [Supported capabilities](https://help.apple.com/developer-account/#/dev21218dfd6).
 
 ### Supported capabilities for the App Wrapping Tool for iOS
 

memdocs/intune/enrollment/enrollment-notifications.md

@@ -0,0 +1,124 @@
+---
+# required metadata
+
+title: Set up enrollment notifications in Intune
+titleSuffix: Microsoft Intune
+description: Set up enrollment notifications in Intune for employees or students. 
+keywords:
+author: Lenewsad
+ms.author: lanewsad
+manager: dougeby
+ms.date: 09/20/2022
+ms.topic: how-to
+ms.service: microsoft-intune
+ms.subservice: enrollment
+ms.localizationpriority: high
+ms.technology:
+ms.assetid: 
+
+# optional metadata
+
+#ROBOTS:
+#audience:
+
+ms.reviewer: maholdaa  
+ms.suite: ems
+search.appverid: MET150
+#ms.tgt_pltfrm:
+ms.custom: intune-azure 
+ms.collection: M365-identity-device-management
+---
+
+# Set up enrollment notifications   
+
+> [!IMPORTANT]
+> This feature is in public preview. For more information, see [Public preview in Microsoft Intune](../fundamentals/public-preview.md).  
+
+[!INCLUDE [azure_portal](../includes/azure_portal.md)]
+
+Set up enrollment notifications in Microsoft Intune to notify employees of newly-enrolled devices. You can create a custom message for employees and include information in the notification about how to report an unrecognized device. 
+
+Intune delivers enrollment notifications via email or push notification. You can apply your tenant's branding and customization settings to email notifications. 
+
+Enrollment notifications work on devices running:  
+
+* Android  
+* iOS/iPadOS
+* macOS 
+* Windows 10/11 
+
+This article describes how to create enrollment notifications in the Microsoft Endpoint Manager admin center.  
+
+## Example  
+The following example image shows what the enrollment notification looks like to the device user.  
+
+> [!div class="mx-imgBorder"] 
+> ![Example image of an enrollment notification configured in Intune, notifying the recipient that a device named *Nia's iPhone" was enrolled, and includes HTML elements such as bolded font and a hyperlink, device details, contact information, and privacy statement.](./media/enrollment-notifications/enrollment-notification-message.png)  
+
+## Prerequisites  
+To create an enrollment notification, you must: 
+
+* Be a Global Administrator or Intune Administrator. 
+* [Configure branding and customization settings](../apps/company-portal-app.md) in **Tenant administration** > **Customization**.  
+
+Enrollment notifications only work with user-driven enrollment methods.   
+
+## You should know  
+Email notifications appear in the user's inbox. Push notifications appear in the Intune Company Portal apps for iOS/iPadOS, macOS, and Android.  Enrollment push notifications aren't supported in the Company Portal for Windows, so they'll never appear there.  
+
+## Create an enrollment notification  
+
+> [!TIP]
+> Use the built-in HTML editor to format and style email notifications. Intune supports the following HTML tags: `<a>`, `<strong>`, `<b>`, `<u>`, `<ol>`, `<ul>`, `<li>`, `<p>`, `<br>`, `<code>`, `<table>`, `<tbody>`, `<tr>`, `<td>`, `<thead>`, and`<th>`. It also supports the `href` attribute for hyperlinks.  
+
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).  
+2. Go to **Devices** > **Enroll device** and select the platform you're creating notifications for. Your options:  
+   * **Windows enrollment**  
+   * **Apple enrollment**  
+   * **Android enrollment**    
+3. Select **Enrollment notifications (preview)**.  
+4. Select **Create notification**. For Apple and Android notifications, select the OS platform you're configuring the notifications for. 
+
+    Your options for Apple enrollment are:  
+      * **iOS Notifications**  
+      * **macOS Notifications**  
+
+   Your options for Android enrollment are:  
+      * **Android Enterprise Notifications**  
+      * **Android device administrator Notifications**  
+5. In **Basics**, configure the following settings:  
+    * **Name**: Enter a descriptive name for the notification. Name your notifications so you can easily identify them later.  
+    * **Description**: Enter a description for the notification. This setting is optional, but recommended.  
+6. Select **Next**.  
+7. In **Notification settings**, configure the notification messages. 
+
+    The options for push notifications are:  
+    * **Send Push Notification**: Flip the switch **On** to enable and create a push notification.
+    * **Subject**: Enter the subject of the enrollment notification.  
+    * **Message**: Enter your message, explaining the purpose of the notification. The character limit is 2000.  
+
+    The options for email notifications are:  
+      * **Send Email Notification**: Flip the switch **On** to enable and create an email notification.   
+      * **Subject**: Enter the subject of the enrollment notification.  
+      * **Message**: Enter your message. The character limit is 2000.  
+      * **Raw HTML editor**: Flip the switch **On** to enable HTML formatting.  
+
+    The options for branding and customization are:  
+
+    * **Show company logo**: Flip the switch **On** to make your organization's logo visible in the email header. This option becomes available after you've configured Company Portal branding in your tenant.   
+    * **Show device details**: Flip the switch **On** to make the following device details visible in the footer of the email:  
+         * Device name  
+         * Model  
+         * OS  
+         * OS version  
+         * Serial number  
+    * **Show company name**: Flip the switch **On** to make your organization's name visible in the footer of the email. The tenant value is automatically populated.  
+    * **Show contact information**: Flip the switch **On** to show your organization's contact information. The tenant value is automatically populated.  
+    * **Show Company portal website link**: Flip the switch **On** to show a link to the Company Portal website. The tenant value is automatically populated. 
+8. Select **Next**. 
+9. Optionally, assign a scope tag, like `US-NC IT Team` or `JohnGlenn_ITDepartment`, to limit management of the notification to specific IT groups. Then select **Next**.  
+10. In **Assignments**, select the users or groups that will receive your profile. You can also apply assignment filters, which are available for Windows and Apple devices.   
+11. Select **Next**. 
+12. In **Review + create**, review the notification details, and then select **Create**.  
+
+Enrollment notifications are sent out to assigned groups when enrollment is triggered. Return to **Enrollment notifications (preview)** to view and edit notifications, or change priority level. 

memdocs/intune/enrollment/media/enrollment-notifications/enrollment-notification-message.png

@@ -46,6 +46,8 @@ items:
   - name: Require multi-factor authentication  
     href: multi-factor-authentication.md
     displayName: mfa; multifactor   
+  - name: Set up enrollment notifications 
+    href: enrollment-notifications.md 
   - name: Set up Windows enrollment
     items:
     - name: Windows enrollment methods

memdocs/intune/enrollment/toc.yml

@@ -52,7 +52,7 @@ Because the China services are operated by a partner from inside China, there ar
   - Google Play Protect capabilities such as SafetyNet device attestation.
   - Managing apps from the Google Play Store.
   - Android Enterprise capabilities. For more information, see this [Google documentation](https://support.google.com/work/android/answer/6270910?hl=en).
-- The Intune Company Portal app for Android uses Google Mobile Services  to communicate with the Microsoft Intune service. Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information, see this [article](../apps/manage-without-gms.md#limitations-of-intune-device-administrator-management-when-gms-is-unavailable). 
+- The Intune Company Portal app for Android uses Google Mobile Services  to communicate with the Microsoft Intune service. Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information, see this [article](../apps/manage-without-gms.md#limitations-of-intune-management-when-gms-is-unavailable). 
 - To follow local regulations and provide improved functionality, the Intune client experience (Company Portal app) may differ in China.
 - Fencing isn't available.
 - Mobile Application Management (MAM) availability is conditional on those apps being available in People's Republic of China.

memdocs/intune/fundamentals/china.md

@@ -119,7 +119,7 @@ Depending on how you choose to manage Android devices, you may need to open the
 
 > [!NOTE]
 > Because Google Mobile Services isn't available in China, devices in China managed by Intune can't use features that require Google Mobile Services. These features include: Google Play Protect capabilities such as SafetyNet device attestation, Managing apps from the Google Play Store, 
-Android Enterprise capabilities (see this [Google documentation](https://support.google.com/work/android/answer/6270910)). Additionally, the Intune Company Portal app for Android uses Google Mobile Services to communicate with the Microsoft Intune service. Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information, see this [article](../apps/manage-without-gms.md#limitations-of-intune-device-administrator-management-when-gms-is-unavailable).
+Android Enterprise capabilities (see this [Google documentation](https://support.google.com/work/android/answer/6270910)). Additionally, the Intune Company Portal app for Android uses Google Mobile Services to communicate with the Microsoft Intune service. Because Google Play services isn't available in China, some tasks can require up to 8 hours to finish. For more information, see this [article](../apps/manage-without-gms.md#limitations-of-intune-management-when-gms-is-unavailable).
 
 ### Android (AOSP)